Security breaches from computer viruses, spyware, hacker attacks and theft of equipment are costing British business an estimated 10 billion pounds ($18 billion) a year, according to a survey on April 25.

The loss is 50 percent higher than the level calculated two years ago, said the study by consultancy PricewaterhouseCoopers for the Department of Trade and Industry.

The rise comes despite companies increasing their spending on information security controls to an average 4-5 percent of their IT budget from 3 percent in 2004.

One area of concern for security, the study warned, was the increasing number of user IDs and passwords employees were having to remember.

Larger companies, which tend to be more security-conscious, saw the number and cost of computer security breaches fall, but both rose at smaller firms where controls may be less rigorous.

Firms were asked how much the worst incident last year cost them. For large firms, the average loss was between 65,000 and 130,000 pounds, mostly accounted for by disruption to business.

At small companies, the average loss was between 8,000 and 17,000 pounds.

Industry Minister Alun Michael said while slightly fewer companies overall reported breaches than in 2004, there was no room for complacency.

"The cost of the damage caused by attacks on security has risen as the nature of the attacks has become more serious," he said.

"That's why it's crucial to have good security in place."

Virtually every UK company uses anti-virus software, but a quarter of businesses are not protected against the newer threat of spyware, which can lead to the loss of confidential information.

One in five corporate wireless networks is completely unprotected, with a further one in five operating without encryption, allowing outsiders to eavesdrop on company communications.

Chris Potter from PricewaterhouseCoopers said British business had become more aware of the risks of IT crime, but added that some firms "still seem to believe they are immune to the dangers and don't have even basic security controls in place."

"This is particularly worrying as we see new technologies emerging that pose new threats to UK plc."

Poor IT procedures can make companies vulnerable. The study found that employees have on average to remember three different user IDs and passwords, while in two percent of companies staff have to recall 10 different IDs.

"The more IDs and passwords users have to remember, the more likely the business is to have had unauthorised access," the report said.

PricewaterhouseCoopers interviewed 1,000 companies between October 2005 and January 2006 for the DTI Information Security Breaches Survey.

(www.financialexpress.com)